Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


[Minifilter] How can i get file name with extension in IRP_MN_QUERY_DIRECTORY?

r1ng0to3tourr1ng0to3tour Member Posts: 4
edited November 2018 in NTFSD

I want to write a minifilter driver for detecting delete operation on files, i can handle that with microsoft minifilter delete sample.
i saw can not detect if file delete or move to "Recycle Bin", i search about this problem and saw that can detect this operation with IRP_MJ_DIRECTORY_CONTROL in IRP_MN_QUERY_DIRECTORY.

But now my problem is with FltGetFileNameInformation or FltGetDestinationFileNameInformation i can get directory path without name.

How can i get file name and extension with full path? Is there a better way or suggestion?

Comments

  • Peter_ScottPeter_Scott Member - All Emails Posts: 749
    via Email
    For a 'soft' delete, that is a delete which goes to the recycler, it is implemented through rename processing. The file/directory gets renamed into a target name in the recycler path so you can detect the target name of the rename that has a path of one of the various recycler path names. Note that the target file name itself is not the same file name being 'deleted'.

    Pete

    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

  • r1ng0to3tourr1ng0to3tour Member Posts: 4

    Thank you Peter Scott!
    My problem solved with IRP_MJ_SET_INFORMATION callback in FileRenameInformation and FileRenameInformationEx

    But is it possible to get the file name and extension on IRP_MJ_DIRECTORY_CONTROL->IRP_MN_NOTIFY_CHANGE_DIRECTORY callback?

  • Peter_ScottPeter_Scott Member - All Emails Posts: 749
    via Email
    Are asking if you can get the file name of a file during the directory control query via the FltGFNI API? The file object being processed is that of the parent directory so no, you can't in that context since it is the directory that is open and not the file. You can parse the content of the directory listing and build up the name but I suspect this is not what you are after.

    Pete

    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA